Scroll to content
School Logo

St Joseph's

Catholic Primary School

Inspired by Christ, Working Together, Achieving Our Best

Publications Scheme

Publishing for Transparency Procedure

Information resources to publish on the School website to comply with GDPR Transparency requirements



1.     Policies.

2.     Privacy Statement & Notices.

3.     Rights.

4.     Emails.


The following activities are designed to help the School make basic information available on its website that the public and the Regulator would expect to have available under GDPR. There is a requirement to be open and transparent about Data Processing and publishing the following information will be effective evidence that the School is complying.



The following documents should be published on a page where your main school policies are already published. You are free to add in any branding which shows the documents are owned by the School (such as the School logo etc.):


Data Protection Policy


Statutory Requests for Information Policy


Publication Scheme


Privacy Statement & Notices

This content should be published on a web page that is ‘one-click’ away from the School website Home Page. Most website templates have Home Page links to content such as ‘Privacy Policy’ or ‘About Cookies’.

The following document is a statement covering the School’s commitment to privacy and what information the website captures about users (including Cookies), therefore you only need one link to this. We suggest the link is titled “Privacy Notices”

If your website template does not have an existing link for a ‘Privacy Notices’ or ‘Cookies’, then approach your web designer for one to be added. Failing that, you should have a menu item titled “Privacy” which links to this content


Overarching Privacy Notice


Child Friendly Privacy Notice


On the page where the Privacy Notices are published, you should provide links to any of the following ‘Privacy Notices’ which are relevant to your school.

Each relevant Privacy Notice should be checked first to ensure the content is accurate and the School is satisfied that it can meet the commitments it is making through the Notices.

You are free to add in any branding which shows the documents are owned by the School (such as the School logo etc).

Each Privacy Notice should have its own URL (web address) to which you can provide links from any forms where you collect personal data.


Processing for Security purposes (including ID Cards and Visitor Data) A separate section is included for CCTV that can be removed if not required


Processing under ‘Consent’ (e.g. Marketing)


Processing under ‘Consent’ (use of Photo and Video, and additional school activities)


Delivery of the Curriculum and Pastoral Care


Processing of Employee Data


Processing of Governor Data


Processing of school volunteer data


Processing of Online Payments


Processing of Biometric Data


Publishing Pupil Coursework


Processing of visitor data


As your school processes special category personal data it is required to have a Data protection Policy Statement to provide assurance on how it handles such information.  This should also be published alongside your privacy notices

Data Protection Policy Statement



You should also publish your Security Measures Document (H2) alongside your privacy notices to make clear the steps the school has taken to protect the personal data in its custody.


Security Measures Document




The following document can be published to help parents/ guardians understand their rights when making Data Protection related requests of the School.


Although it is not technically a Policy, it is closely related to the content of the Statutory Requests for Information Policy and may make sense to publish alongside this Policy.


The Parents Guide to Subject Access Requests (SAR) clarifies when they are able to make a SAR and how to make a requests, as well as managing expectations regarding timescales and what happens if their child is over 12.



GDPR Rights Guidance for Parents/ Guardians


Parents’ Guide to Subject Access Request



It is good practice to add a disclaimer to all emails that leave your organisation, to protect any personal data within the communication. You can ask your IT Provider if they can add this to your global settings, so that it does not have to be added individually. The following is suggested wording:

This email and any attachments may contain legally privileged or confidential information. Any use, copying or disclosure other than by the intended recipient is unauthorised. If you have received this message in error, please notify the sender and confirm that it has been deleted from your system and no copies have been made.